Microsoft Azure Fundamentals

Posted June 10, 2021 by Adrian Wyssmann ‐ 30 min read

As we start looking into Azure, my employer established a Microsoft Enterprise Skills Initiative. This is my first course and I will summarize for you what I've learned.

What is Azure

Azure is the cloud computing service from Microsoft. Like every other cloud provider it offers a similar set of resources [1], [2]

azure services
An overview of all azure services (c) Microsoft

Azure offers a web-based portal and a CLI to interact with Azure and Azure services. Before you can access Azure, you need a Microsoft account and a subscription. With the free account you get your own private subscription, but your company might create an additional subscription for you. Once you have a subscription you can start creating resources. Keep in mind that every resource costs money, so check the prices first. So let's have a look at how these relate to each other:

Azure Hierarchy
Hierarchy in Azure (c) Microsoft

On top we have the management groups, which are containers for one or multiple subscriptions and allow you to manage access, policy, and compliance. Management groups can be nested, i.e. a management group can itself contain other management groups:

  • 10,000 management groups can be supported in a single directory.
  • A management group tree can support up to six levels of depth.
  • This limit doesn’t include the Root level or the subscription level.
  • Each management group and subscription can only support one parent.
  • Each management group can have many children.
  • All subscriptions and management groups are within a single hierarchy in each directory.
  • The top-level group is called Root management group

A subscription groups together user accounts and the resources they create, and allows you to define limits and quotas for them. Every subscription is associated with exactly one Azure Active Directory tenant. Subscriptions can also have different billing profiles (payments, invoices, …). A user account can be associated with one or more subscriptions.

Resources are instances of services that you create, like virtual machines, storage accounts, or SQL databases (see above). Resources are combined into resource groups, which act as logical containers. This allows logical grouping of resources, applying role-based access control (RBAC) permissions at group level, and implies a shared lifecycle: deleting a resource group also deletes all resources within it.

Resources are managed via the Azure Resource Manager which can be accessed via the Azure portal or other interfaces like Azure CLI. It allows you to manage resources using declarative language and templates.

Azure Resource Manager
the role of Azure Resource Manager (c) Microsoft

Access and resource organization

Identity and Access management

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access internal (corporate network) and external (cloud applications) resources. There is a free tier as well as paid premium tiers (P1, P2). There are some differences between Azure AD and Active Directory Domain Services (AD DS), including features like application and device management. However, with Azure AD Connect, AD DS and Azure AD can be connected together in order to synchronize user identities between them. This also allows you to use features like SSO, multifactor authentication, and self-service password reset.

Basic multi-factor authentication features are available to Microsoft 365 and Azure Active Directory (Azure AD) administrators for no extra cost. With premium licenses you get MFA also for your users.

With a premium license you also get Conditional Access, a tool which uses policies to grant or block access to resources. They work like if-then statements: if a user wants to access a resource, then they must complete an action. Conditional Access policies use signals (user or group membership, IP location, device, the application the user wants to access, …) to make decisions (block access, grant access, grant access but require MFA, require a compliant device).

conditional access
Overview of how conditional access works (c) Microsoft
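The if-then logic of Conditional Access, as a constructed evaluator. This is an added example and not the page's or Microsoft's code: the policies and the sign-in signals are made up, and the assignment/control structure is a simplification of the real policy object. It shows the two points that matter in practice: a block from any applicable policy wins, and the grant controls of all applicable policies are combined.

```python
# Constructed Conditional Access style policies. "users", "apps" and "locations" are assignments
# (include/exclude selectors); "controls" is the decision: block, or grant with requirements.
POLICIES = [
    {"name": "Block legacy authentication", "state": "enabled",
     "users": {"include": ["All"]}, "apps": {"include": ["All"]},
     "client_apps": ["exchangeActiveSync", "other"],          # legacy protocols cannot do MFA
     "controls": {"action": "block"}},
    {"name": "Require MFA for admins", "state": "enabled",
     "users": {"include": ["Global Administrator"]}, "apps": {"include": ["All"]},
     "controls": {"action": "grant", "require": ["mfa"]}},
    {"name": "Finance app needs a compliant device outside trusted locations", "state": "enabled",
     "users": {"include": ["finance"]}, "apps": {"include": ["finance-app"]},
     "locations": {"include": ["All"], "exclude": ["trusted"]},
     "controls": {"action": "grant", "require": ["compliantDevice"]}},
    {"name": "Old draft policy", "state": "disabled",
     "users": {"include": ["All"]}, "apps": {"include": ["All"]},
     "controls": {"action": "block"}},
]

def _matches(selector, values):
    """include/exclude semantics: a value must be included (or 'All') and not excluded."""
    include, exclude = selector.get("include", ["All"]), selector.get("exclude", [])
    included = "All" in include or any(v in include for v in values)
    return included and not any(v in exclude for v in values)

def policy_applies(policy, signal):
    if policy["state"] != "enabled":          # disabled and report-only policies do not enforce
        return False
    who = {signal["user"], *signal.get("groups", ()), *signal.get("roles", ())}
    return (_matches(policy["users"], who)
            and _matches(policy["apps"], {signal["app"]})
            and _matches(policy.get("locations", {}), {signal["location"]})
            and ("client_apps" not in policy or signal["client_app"] in policy["client_apps"]))

def decide(policies, signal):
    """All applicable policies are enforced together: any block wins, otherwise every grant control must be met."""
    applied = [p for p in policies if policy_applies(p, signal)]
    blockers = [p["name"] for p in applied if p["controls"]["action"] == "block"]
    if blockers:
        return {"decision": "block", "policies": blockers}
    required = {c for p in applied for c in p["controls"].get("require", [])}
    missing = required - set(signal.get("satisfied", ()))
    return {"decision": "grant" if not missing else "challenge",
            "policies": [p["name"] for p in applied], "required": sorted(required), "missing": sorted(missing)}

if __name__ == "__main__":
    admin = {"user": "carol", "roles": {"Global Administrator"}, "app": "portal",
             "location": "trusted", "client_app": "browser"}
    print(decide(POLICIES, admin))                          # challenge, missing MFA
    print(decide(POLICIES, {**admin, "satisfied": ["mfa"]}))  # grant
```

The "satisfied" field stands in for what the user has already proven in this session (MFA done, device reported compliant); a real evaluation additionally considers sign-in risk and session controls, which this example leaves out.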

Azure role-based access control

With Azure role-based access control or Azure RBAC you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

  • A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources
  • A role definition or role is a collection of permissions, i.e. the operations that can be performed. Azure offers built-in roles for generic purposes (Contributor, Owner, Reader, User Access Administrator) as well as resource-specific roles.
  • The scope is the set of resources that the access applies to - see Understand scope. This can be
    • A management group (a collection of multiple subscriptions).
    • A single subscription.
    • A resource group.
    • A single resource.
  • A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access.
azure rbac
relationship between roles and scopes (c) Microsoft

Some things to note:

  • permissions are inherited from a parent scope to all of its child scopes
  • role assignments to a group apply transitively to its members
  • multiple role assignments are additive, so your effective permissions are the union of all roles assigned to you
  • deny assignments exist, but in a limited form: they are created by Azure itself (e.g. by Azure Blueprints), not directly by users, and they take precedence over role assignments
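The inheritance and additivity rules above, worked through in code. This is an added example, not Microsoft's code: the subscription ID, resource names and principals are constructed, the Actions/NotActions lists are abbreviated versions of the built-in roles, and the wildcard matching is an approximation of how Azure RBAC evaluates action strings.

```python
from fnmatch import fnmatchcase

# Role definitions in the shape of Azure's built-in roles: effective permissions are Actions minus
# NotActions. The lists are abbreviated; the real built-in roles are longer.
ROLES = {
    "Reader":      {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Virtual Machine Contributor": {"Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []},
}

# Constructed scope IDs: the subscription GUID and the names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

GROUPS = {"alice": {"ops-team"}}   # assignments to a group apply transitively to its members

ROLE_ASSIGNMENTS = [
    {"principal": "ops-team", "role": "Reader", "scope": SUB},   # inherited by every RG and resource below
    {"principal": "alice", "role": "Virtual Machine Contributor", "scope": RG},
    {"principal": "bob", "role": "Contributor", "scope": RG},
]
# Deny assignments take precedence over role assignments (Azure creates these itself, e.g. via Blueprints).
DENY_ASSIGNMENTS = [
    {"principals": {"bob"}, "actions": ["Microsoft.Compute/virtualMachines/delete"], "scope": RG},
]

def in_scope(assignment_scope, target_scope):
    """Permissions flow from a parent scope to every child scope beneath it."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")

def action_matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action):
    definition = ROLES[role]
    return action_matches(definition["Actions"], action) and not action_matches(definition["NotActions"], action)

def is_allowed(principal, action, scope):
    principals = {principal} | GROUPS.get(principal, set())
    for deny in DENY_ASSIGNMENTS:
        if principals & deny["principals"] and in_scope(deny["scope"], scope) and action_matches(deny["actions"], action):
            return False
    # Role assignments are additive: the effective permission is the union of all matching assignments.
    return any(ra["principal"] in principals and in_scope(ra["scope"], scope) and role_permits(ra["role"], action)
               for ra in ROLE_ASSIGNMENTS)

if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/read", VM))          # True, via group + inheritance
    print(is_allowed("bob", "Microsoft.Compute/virtualMachines/delete", VM))          # False, deny assignment wins
    print(is_allowed("bob", "Microsoft.Authorization/roleAssignments/write", RG))     # False, Contributor NotActions
```

Note that alice can read the VM without any direct assignment: the Reader role reaches her through the ops-team group and flows down from the subscription scope. Bob's Contributor role at the resource group does not reach resources in another resource group, and the NotActions of Contributor are exactly what stops a Contributor from granting himself more rights.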

Azure Policy

Azure Policy enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards. This can be individual policies or groups of related policies, known as initiatives. So this works as follows

  1. Create a policy definition.

    Every policy definition has conditions under which it’s enforced. And, it has a defined effect that takes place if the conditions are met.

  2. Assign the definition to resources.

  3. Review the evaluation results.

There are a lot of built-in policies available, but you can also define your own. See Azure Policy definition structure for details on the JSON format used for describing policies.

The difference between Azure Policy and Azure role-based access control are

  • Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers
  • Azure RBAC focuses on managing user actions at different scopes

An example of a policy could be to prohibit creating resources in US regions. A user might have the permission (RBAC) to create VMs, but when they try to create one in a US region, the policy rejects the request.
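The region example, worked through against the Azure Policy definition structure (properties.parameters and properties.policyRule with an "if" condition and a "then" effect). This is an added example, not the page's or Microsoft's code: the two policy definitions and the resources are constructed, and the evaluator supports only a handful of the condition operators of the real service. It also shows the difference to RBAC from the paragraph above: the caller is assumed to already hold the write permission, and a "deny" effect rejects the request anyway, while "audit" only records it.

```python
import re
from fnmatch import fnmatchcase

# Constructed policy definitions following the Azure Policy definition structure.
DENY_US_REGIONS = {
    "properties": {
        "displayName": "Deny resources in US regions",
        "parameters": {
            "blockedLocations": {"type": "Array",
                                 "defaultValue": ["eastus", "eastus2", "westus", "westus2", "centralus"]}
        },
        "policyRule": {
            "if": {"allOf": [
                {"field": "location", "in": "[parameters('blockedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]},
            "then": {"effect": "deny"},
        },
    }
}
AUDIT_OWNER_TAG = {
    "properties": {
        "displayName": "Audit resources without an owner tag",
        "parameters": {},
        "policyRule": {
            "if": {"field": "tags['owner']", "exists": "false"},
            "then": {"effect": "audit"},
        },
    }
}

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):
    """Replace "[parameters('x')]" with the value set on the assignment, else the default."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            p = params[m.group(1)]
            return p["value"] if "value" in p else p["defaultValue"]
    return value

def field_value(resource, field):
    m = re.match(r"^tags\['([^']+)'\]$", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def evaluate(cond, resource, params):
    """Subset of the Azure Policy condition language: logical operators plus a few field conditions."""
    if "allOf" in cond: return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond: return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:   return not evaluate(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:    return actual == resolve(cond["equals"], params)
    if "notEquals" in cond: return actual != resolve(cond["notEquals"], params)
    if "in" in cond:        return actual in resolve(cond["in"], params)
    if "notIn" in cond:     return actual not in resolve(cond["notIn"], params)
    if "like" in cond:      return actual is not None and fnmatchcase(str(actual), resolve(cond["like"], params))
    if "exists" in cond:    return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(policy, resource, assignment_params=None):
    """Return the effect that applies, or None when the "if" condition does not match the resource."""
    props = policy["properties"]
    params = {k: dict(v) for k, v in props["parameters"].items()}
    for k, v in (assignment_params or {}).items():
        params[k]["value"] = v
    rule = props["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None

def can_create(policies, resource):
    """RBAC already said yes; the write is still rejected if any assigned policy yields 'deny'."""
    return all(effect_for(p, resource) != "deny" for p in policies)

if __name__ == "__main__":
    vm_us = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "tags": {"owner": "alice"}}
    vm_eu = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {"owner": "alice"}}
    print(can_create([DENY_US_REGIONS, AUDIT_OWNER_TAG], vm_us))   # False
    print(can_create([DENY_US_REGIONS, AUDIT_OWNER_TAG], vm_eu))   # True
```

The parameter override in effect_for mirrors how the same definition can be assigned with different values at different scopes, which is why built-in policies such as "Allowed locations" are written against parameters rather than hard-coded region lists.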

Azure Blueprints

Azure Blueprints allows you to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. It is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

Resource lock

Resource locks allow you to prevent resources from being accidentally deleted or changed.

  • CanNotDelete means authorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.
  • ReadOnly means authorized people can read a resource, but they can’t delete or change the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.

Tagging

You apply tags (name and value pairs) to your resources, resource groups, and subscriptions to logically organize them into a taxonomy.

The following picture shows the categories and some examples of the compliance offerings available in Azure:

compliance matrix
Matrix of available compliance categories (c) Microsoft

Besides, there are certain legal documents you should be aware of:

  • Microsoft Privacy Statement explains what personal data Microsoft collects on services, websites, apps, software, servers, and devices, how Microsoft uses it, and for what purposes.

  • Online Services Terms (OST) is a legal agreement between Microsoft and the customer and details the obligations by both parties with respect to the processing and security of customer data and personal data

  • Data Protection Addendum (DPA) defines the data processing and security terms for online services. These terms include:

    • Compliance with laws.
    • Disclosure of processed data.
    • Data Security, which includes security practices and policies, data encryption, data access, customer responsibilities, and compliance with auditing.
    • Data transfer, retention, and deletion.

Further resources to consult:

  • Trust Center provides support and resources for the legal and compliance community.
  • Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
  • Azure Government is a separate, isolated instance of the Microsoft Azure service to address security and compliance needs of US federal agencies, state and local governments, and their solution providers.
  • Azure China 21Vianet is a physically separated instance of cloud services located in China operated by 21Vianet.

Azure regions, availability zones, and region pairs

Resources are created in regions, which are different geographical locations around the globe that contain one or multiple datacenters. This allows you to bring your applications closer to your users. There are also specialized regions for compliance or legal purposes which are physically and logically network-isolated, for example US DoD Central, US Gov Virginia, US Gov Iowa and more, or China East, China North, and more.

Availability zones are physically separate datacenters, equipped with independent power, cooling, and networking, within an Azure region. Availability zones

  • are made up of one or more datacenters
  • form an isolation boundary
  • are connected through high-speed, private fiber-optic networks
  • are not available in all regions

In addition there are region pairs, where each Azure region is paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This allows for replication of resources, to be prepared for disasters.

Availability Zone
Region and Availability Zone in Azure (c) Microsoft

Migrate to Azure

There are some services which support you in migrating locally hosted services (virtual machines, databases, …) to Azure. Here are the most prominent tools.

Azure Migrate

When you plan to migrate to Azure, there are a lot of things to consider. To help you, Microsoft offers Azure Migrate, a free service that discovers, assesses, and migrates on-premises systems to Azure:

  • performance-based sizing calculations (virtual machine sizing, compute/storage)
  • assess Hyper-V and VMware-based virtual machines, as well as physical servers
  • visualization of dependencies for those machines
  • create groups of machines that can be assessed and migrated together

Azure Migrate requires a collector appliance (running in your VMware or Hyper-V environment) which discovers and collects all information about your environment. To get the dependency visualization, you additionally install the Microsoft Monitoring Agent and the Dependency Agent on each VM. All this information goes into an assessment. Based on the assessment, you can then migrate (replicate) up to 100 VMs simultaneously to Azure.

Azure Database Migration

Azure Database Migration Service is a paid service which lets you migrate databases to the Azure data platform, either offline (shutting down the source database) or online (continuous synchronization of live data); the latter is more costly. You need

You then first migrate the Schema, and then the Data.

Services

Let’s dig into some of the most prominent services offered by Azure

Azure virtual machines

Virtual Machines allow you to create Linux and Windows virtual machines based on one of the available images. A VM resource in Azure consists of several elements:

  • The VM which is
    • based on an os image
    • has a defined Size i.e. memory, cpu, gpu to be used
    • sits in a dedicated location
  • Storage account for the disks
    • a virtual machine has at least two virtual hard disks (VHDs), one for the operating system and one for temporary storage
    • additional disks can be added
  • Network interface to communicate on the network
    • the interface which connect to the VNets
  • Virtual networks (VNets) (shared with other VMs and services)
    • Virtual networks (VNets) are used in Azure to provide private connectivity between Azure Virtual Machines and other Azure services.
  • Network Security Groups (NSGs) to secure the network traffic
    • Software firewalls to control the traffic flow to and from subnets and to and from VMs. An NSG consists of rules and allows filtering inbound and outbound traffic on the VNet.
  • Public Internet address (optional)
    • Public addresses allow you to connect from anywhere to your instance e.g. using SSH

The following picture visualizes the relation VNets, NSGs and VMs:

relation VNets, NSGs and VMs
relation VNets, NSGs and VMs (c) Microsoft
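How an NSG decides on a packet, for the rule description above and the "filter network traffic" point in the networking section further down. This is an added example and not from the original page: the custom rules, the VNet address space and the mapping of the service tags VirtualNetwork, AzureLoadBalancer and Internet are constructed simplifications, while the default rules and the first-match-by-priority semantics are those of Azure.

```python
from ipaddress import ip_address, ip_network

# Default rules that every NSG contains (priorities 65000 and above); custom rules sit above them.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "destination": "VirtualNetwork", "ports": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "ports": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source": "*", "destination": "*", "ports": "*"},
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "destination": "VirtualNetwork", "ports": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "source": "*", "destination": "Internet", "ports": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "source": "*", "destination": "*", "ports": "*"},
]
# Constructed custom rules for a web VM: SSH only from a bastion subnet, HTTPS from anywhere.
CUSTOM_RULES = [
    {"name": "AllowSSHFromBastion", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "10.0.1.0/24", "destination": "*", "ports": "22"},
    {"name": "AllowHttps", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "destination": "*", "ports": "443"},
    {"name": "DenySSHFromInternet", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "source": "Internet", "destination": "*", "ports": "22"},
]
VNET = ip_network("10.0.0.0/16")          # constructed VNet address space behind the VirtualNetwork tag
LB_PROBE = ip_address("168.63.129.16")    # source address of Azure load balancer health probes

def match_address(spec, addr):
    """Service tags are simplified: Internet is everything that is neither the VNet nor the probe address."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "AzureLoadBalancer":
        return addr == LB_PROBE
    if spec == "Internet":
        return addr not in VNET and addr != LB_PROBE
    return addr in ip_network(spec, strict=False)

def match_port(spec, port):
    """Port spec: '*', a single port, a range 'lo-hi', or a comma separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, direction, protocol, src, dst, dport):
    """Rules are processed by ascending priority; the first match decides and processing stops."""
    src, dst = ip_address(src), ip_address(dst)
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        if match_address(r["source"], src) and match_address(r["destination"], dst) and match_port(r["ports"], dport):
            return r["access"], r["name"]
    return "Deny", "(no rule)"

if __name__ == "__main__":
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.5", "10.0.2.4", 22))   # Deny, DenySSHFromInternet
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "10.0.3.9", "10.0.2.4", 22))      # Allow, AllowVnetInBound
```

The second call is the check worth remembering: DenySSHFromInternet does not stop SSH from another subnet in the same VNet, because the default AllowVnetInBound rule still matches. If that is not wanted, an explicit deny with a lower priority number than 65000 is required.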

A good starting point for creating VMs is Compile a checklist for creating an Azure Virtual Machine

By use of availability sets you can get high availability. An availability set is a logical grouping of VMs, where the underlying Azure platform assigns each VM to one of up to 20 update domains and one of up to 3 fault domains. During planned maintenance, update domains are rebooted in sequence, with a recovery time of up to 30 minutes, so distributing the machines across update domains ensures that not all of them are rebooted at the same time. A fault domain is a group of virtual machines that share a common power source and network switch, so in case of an outage or interruption in one domain, the resources in the other domains keep working. The concept also applies to the managed disks attached to the VMs.

availability sets
Availability sets with fault and update domain (c) Microsoft

Besides availability sets, backup is another essential part of disaster recovery. Azure Backup provides a scalable, fully encrypted backup solution for your Azure resources (Azure VMs, managed disks, Azure file shares, …) as well as for on-premises resources.

At last, there is the option of scale sets, which let you create and manage a group of identical, load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.

Azure App Service

Azure App Service is a fully managed web application hosting platform and enables you to build and host web applications in the programming language of your choice without managing infrastructure:

  • Automatic secure endpoints (HTTPS)
  • Automatically scale your web application to meet traffic demand
  • Built-in load balancing and traffic manager
  • Windows or Linux host os

It supports different types of apps:

  • Web apps: ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python
  • API apps: REST-based web APIs using your choice of language and framework, with full Swagger support and the ability to package and publish your API in Azure Marketplace
  • WebJobs: Run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app.
  • Mobile apps: Mobile Apps feature of App Service allows you to quickly build a back end for iOS and Android apps

You can deploy your application automatically or manually, e.g. by using

  • Azure DevOps

  • Github workflows

  • Bitbucket

  • OneDrive

  • Dropbox

  • az command-line interface via az webapp up or ZIP deploy az webapp deployment source config-zip

  • WAR deploy using curl against the app's SCM (Kudu) site, https://<your-app-name>.scm.azurewebsites.net/api/wardeploy

    # Authenticate with the app's deployment (publishing) credentials, not your Azure AD login.
    # Keep them out of the shell history on shared hosts, e.g. by reading them from a variable or a netrc file.
    curl -v -X POST -u '<username>:<password>' https://<your-app-name>.scm.azurewebsites.net/api/wardeploy --data-binary @helloworld.war
    
  • FTP/S

Azure Container Instances or Azure Kubernetes Service

Azure Container Instances is a PaaS service, that allows you to run containers.

Azure Kubernetes Service or AKS is a container orchestration service to deploy large numbers of containers. When you create an AKS cluster, a control plane is automatically created and configured at no cost. You only pay for the nodes attached to the AKS cluster. The control plane and its resources reside only in the region where you created the cluster.

aks control plane and nodes
Kubernetes control plane and nodes in AKS (c) Microsoft

To run your workload you need a node. An AKS cluster has at least one node, an Azure virtual machine (VM) that runs the Kubernetes node components and the container runtime. The size of this VM defines the number of CPUs, the memory, and the size and type of storage available. AKS clusters using Kubernetes version 1.19+ for Linux node pools use containerd.

aks components
Kubernetes components in AKS (c) Microsoft

Even though AKS offers managed clusters, you are responsible for the lifecycle of your cluster, including performing periodic upgrades to the latest Kubernetes version - see also Upgrade an Azure Kubernetes Service (AKS) cluster.

In addition to the managed control plane, AKS also provides some interesting features:

Azure Red Hat OpenShift is a PaaS service that offers Red Hat OpenShift, which extends Kubernetes by simplifying the management of IT resources such as application installation, updates and failover through the use of Operators.

Serverless Computing

Serverless means that Azure manages the underlying infrastructure automatically, i.e. the allocation and deallocation of resources based on demand. The developer only creates a function, which contains both the code and metadata about its triggers and bindings; Azure then schedules it to run and scales the number of compute instances required to handle the incoming events. It also uses micro-billing, meaning you only pay for the time your code runs.

There are two types of serverless compute:

  • Azure Functions is a serverless compute service that allows you to host a single method or function that runs in response to an event. It supports stateless functions as well as stateful ones (Durable Functions) and can execute code in almost any modern language.
  • Azure Logic Apps is a serverless orchestration service, which requires no code to be written, but instead, the app is designed in a web-based designer. The app uses connectors to link triggers to actions. A trigger is an event (such as a timer) that causes an app to execute actions (steps/tasks). The outcome is a new message to be sent to a queue, or an HTTP request, which can be used by other Azure services.

There are some differences, and you might check Analyze the decision criteria to understand where to use what:

Criterion | Functions | Logic Apps
State | Normally stateless, but Durable Functions provide state | Stateful
Development | Code-first (imperative) | Designer-first (declarative)
Connectivity | About a dozen built-in binding types; write code for custom bindings | Large collection of connectors; Enterprise Integration Pack for B2B scenarios; build custom connectors
Actions | Each activity is an Azure function; write code for activity functions | Large collection of ready-made actions
Monitoring | Azure Application Insights | Azure portal, Log Analytics
Management | REST API, Visual Studio | Azure portal, REST API, PowerShell, Visual Studio
Execution context | Can run locally or in the cloud | Runs only in the cloud

Windows Virtual Desktop

Windows Virtual Desktop is a desktop and application virtualization service that enables users to use a cloud-hosted Windows desktop from anywhere. As it runs on Azure VMs, Azure Reserved Virtual Machine Instances apply here too and save up to 72 percent versus pay-as-you-go pricing.

Azure networking services

Azure networking services are the virtual networking services on Azure which enable Azure resources to communicate with each other, with users on the internet, and with your on-premises client computers.

  • Isolation and segmentation: isolated networks with private IP address spaces
  • Internet communication: by assigning a public IP address to a resource, it can be reached directly from the internet
  • Communication between Azure resources: Azure resources can communicate securely with each other
  • Communication with on-premises resources using a VPN Gateway
    • Point-to-site virtual private network: connects individual client computers to the virtual network
    • Site-to-site virtual private network: links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network
    • Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the internet. Be careful though: even though the connectivity is private, it is not encrypted by default.
  • Route network traffic using route tables or Border Gateway Protocol (BGP)
  • Filter network traffic using Network Security Groups (NSGs) or network virtual appliances
  • Connect virtual networks by linking them together using virtual network peering, and use user-defined routes (UDR) to control the route tables

VPN Gateway can be either one of the following:

  • Policy-based VPNs use static sets of IP address ranges (traffic selectors) to define which packets go through the tunnel.
  • Route-based VPNs use IPsec tunnels that are modeled as network interfaces or virtual tunnel interfaces. IP routing (either static routes or dynamic routing protocols) decides which of these tunnel interfaces to use when sending each packet.

Azure Storage services

Azure Storage services offer different storage options for different purposes, each one designed with security, redundancy, and scalable access to the stored data in mind. In order to use Azure Storage you have to create an Azure Storage account.

  • Azure Disk Storage provides solid-state drives (SSDs) or traditional spinning hard disk drives (HDDs) for virtual machines. There are two types of disks

    • Unmanaged disks require a storage account before you can create a new disk. This gives you full control over all the data, but you have to take care of encryption, data recovery, … yourself. There is also a hard IOPS limit per storage account.
    • Managed disks are managed by Azure and you do not need a storage account when creating a new disk. Since the storage account is managed by Azure, you do not have full control over the disks that are being created. Compared to unmanaged disks, managed disks abstract away the underlying storage account and blob associated with the VM disks, have no storage-account throttling, support role-based access control, and are encrypted at rest by default.
  • Azure Blob Storage is an unstructured object store which allows to store text or binary data, not limited to common file formats. Objects are stored in blobs, which belong to a container.

    azure blob storage
    Azure blob storage and containers (c) Microsoft
  • Azure Files is a managed file share service offering Server Message Block (SMB) and Network File System (NFS) shares. You can access the files from anywhere in the world by using a URL that points to the file together with a shared access signature (SAS) token for authorization.

Based on the usage scenario (access frequency, retention, …) for your blob data, Azure Blob Access tiers allows you to optimize the costs by defining an access tier, which impacts the availability, latency and minimum storage duration:

  • Hot - Optimized for storing data that is accessed frequently.
  • Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days.
  • Archive - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours.

Azure database and analytics services

Azure offers the following services:

  • Azure Cosmos DB is a globally distributed, multi-model database service for schema-less data, which can be scaled for throughput and storage independently
  • Azure SQL Database is a fully managed platform as a service (PaaS) database engine that handles most of the database management functions such as upgrading, patching, backups, and monitoring without user involvement
  • Azure database for MySQL offers MySQL Community Edition database engine, versions 5.6, 5.7, and 8.0 as a service with high availability, scale as needed in seconds, security and automatic backups
  • Azure Database for PostgreSQL offers PostgreSQL as a service with high availability, scale as needed in seconds, security and automatic backups. Azure also provides Hyperscale (Citus) option, to horizontally scale queries across multiple machines by using sharding.
  • Azure SQL Managed Instance offers many of the same features as Azure SQL Database, however, Azure SQL Managed Instance provides some additional features like non-standard collations or cross database transactions

As for big data and analytics, there are some additional services

  • Azure Synapse Analytics is an enterprise analytics service for big data and warehouses. It brings together the best of SQL technologies used in enterprise data warehousing, Spark technologies used for big data, Pipelines for data integration and ETL/ELT, and deep integration with other Azure services such as Power BI, CosmosDB, and AzureML.
  • Azure HDInsight is a fully managed, open-source analytics service for enterprises (cloud distribution of Hadoop components) which can use frameworks like Hadoop, Apache Spark, Apache HBase, Apache Hive, LLAP, Apache Kafka, Apache Storm and Azure Machine Learning
  • Azure Databricks offers big data analytics and AI with optimized Apache Spark
  • Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights.

Azure IoT services

IoT devices are usually equipped with sensors that collect data, e.g. environmental sensors, barcode scanners, …. With Azure IoT services these devices can be connected to Azure through the internet to collect and aggregate the data, allowing you to create reports and alerts. In addition, you can also publish firmware or software updates to these devices.

  • Azure IoT Hub is a managed service that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages, to
    • receive messages from a device and route them to other Azure services
    • remote control of connected devices
    • monitor device health
  • Azure IoT Central sits on top of the hub and provides a web-based user interface to perform the activities mentioned above. In addition, it allows the creation of dashboards and alerts. If you already have software for that, you may not need it.
  • Azure Sphere creates an end-to-end, highly secure IoT solution and consists of 3 elements
    • Azure Sphere micro-controller unit (MCU), which processes the operating system and signals from attached sensors
    • customized Linux operating system (OS), handles communication with the security service
    • Azure Sphere Security Service (AS3), to make sure that the device has not been maliciously compromised

You may check Analyze the decision criteria to help you decide what to use.

AI services

Artificial Intelligence (AI) is a category of computing that adapts and improves its decision-making ability over time based on its successes and failures

AI services offers these options

  • Azure Machine Learning is a platform for making predictions. It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result.
  • Azure Cognitive Services provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason.
    • Language services: Allow your apps to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want.
    • Speech services: Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.
    • Vision services: Add recognition and identification capabilities when you’re analyzing pictures, videos, and other visual content.
    • Decision services: Add personalized recommendations for each user that automatically improve each time they’re used, moderate content to monitor and remove offensive or risky content, and detect abnormalities in your time series data.
  • Azure Bot Service and Bot Framework are platforms for creating virtual agents that understand and reply to questions just like a human. However in the backend it will use services like Azure Cognitive Services

You may check Analyze the decision criteria to help you decide what to use.

Observability

Azure offers the following services to monitor your Azure resources:

Azure Advisor evaluates your Azure resources and makes recommendations for all your subscriptions, to help improve reliability, security, and performance, directly available in your Azure Portal. The recommendations are divided into five categories:

  • Reliability: Used to ensure and improve the continuity of your business-critical applications.
  • Security: Used to detect threats and vulnerabilities that might lead to security breaches.
  • Performance: Used to improve the speed of your applications.
  • Cost: Used to optimize and reduce your overall Azure spending.
  • Operational Excellence: Used to help you achieve process and workflow efficiency, resource manageability, and deployment best practices.

Azure Monitor is an observability platform which helps you to collect, analyze and act on the telemetry data of your cloud and on-premises infrastructure.

Azure Monitor
Azure Monitor (c) Microsoft
  • Application Insights is an extensible Application Performance Management (APM) service to monitor your live applications by tracing the series of related events that follow a user request through a distributed system. It detects performance anomalies and includes powerful analytics tools to help you diagnose issues.

  • VM Insights monitors the performance and health of your virtual machines and virtual machine scale sets, including their running processes and dependencies on other resources

  • Container insights monitors the performance of container workloads deployed to Azure container services such as AKS. It supports clusters running Linux and Windows Server 2019, including the container runtimes Docker, Moby, and any CRI-compatible runtime (e.g. CRI-O and containerd)

    container insights
    Container Insights (c) Microsoft
  • Log Analytics, based on Azure Data Explorer, allows you to query logs using Kusto query language (KQL), not only of your resources but also your applications if your data are ingested

  • Smart groups: related alerts that represent a single issue are combined automatically using machine learning

  • action rules let you suppress or trigger specific actions

  • Collect data from monitored resources using Azure Monitor Metrics. Metrics are numeric values collected at regular intervals and are stored in a time-series database, which is optimized for analyzing time-stamped data.

  • Create visualizations with Azure dashboards and workbooks - similar to Grafana Dashboards.

Azure Service Health provides a personalized view of the health of the Azure services, regions, and resources you use, in addition to the global status at status.azure.com. It offers the current status and official outage root cause analyses (RCAs), and you can set up alerts for outages and planned maintenance of services in the regions you are using.

Dev Tooling

  • Azure DevOps Services is a complete suite for software developers and offers:
    • Azure Repos is a centralized source-code repository
    • Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
    • Azure Pipelines is a CI/CD pipeline automation tool.
    • Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.
    • Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
  • Azure DevTest Labs provides an automated means of managing the process of building, setting up, and tearing down virtual machines (VMs) that contain builds of your software projects.
  • Azure Lab Services lets you create managed lab types - currently only classroom labs.

You can also combine Azure DevOps Services with other services such as GitHub, which, for example, also offers source code hosting and pipelines (GitHub Actions).

Management tools

We already know about the Azure Portal, the web-based user interface to access all features of Azure. But there are also other tools available. One is the Azure mobile app, which lets you access your Azure resources and:

  • Monitor the health and status of your Azure resources.
  • Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual machine (VM).
  • Run the Azure CLI or Azure PowerShell commands to manage your Azure resources.

Azure PowerShell offers cmdlets to interact with Azure and Azure resources. If you are working on a Windows machine and you are familiar with PowerShell, this is a good choice to make your work repeatable and automatable. It can be installed using an MSI or as follows:

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Azure CLI is another option for repeatable tasks using scripting, especially if you work in Linux or Mac, but also Windows.

Azure Resource Manager templates (ARM templates) allow you to describe the resources you want to use in a declarative JSON format, so that you can automate the setup and orchestration of your Azure infrastructure. An example to create a storage account:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-04-01",
      "name": "mystorageaccount",
      "location": "westus",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {}
    }
  ]
}

It offers great flexibility: you don't need to rely on a single template but can have nested templates and even shared templates.

arm nested templates
Example of a nested template (c) Microsoft

These templates can then be deployed from the Azure Portal, Azure PowerShell, Azure CLI, the REST API, a "Deploy to Azure" button in a GitHub repository, or Azure Cloud Shell.

Azure offers with Azure REST API a REST endpoint which allows you to manage your resources with HTTP requests. You need to be authenticated in order to do so.

Finally, Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources, offering the same flexibility as a Bash or PowerShell console. This shell is accessible via the Azure Portal.

Security and network security

Azure Security Center

Azure Security Center is a unified infrastructure security management system that shows security-relevant information for all your services in the cloud and on-premises. It has a free tier, but certain features are paid:

  • Monitor security settings to identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps
  • Automatically apply security policies on management groups, across subscriptions and for a whole tenant. For example you can have an application control rule, which enforces that only certain applications run on a particular VM.
  • Provide security recommendations that are based on your current configurations, resources, and networks.
  • Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
  • Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
  • Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
  • Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network only allows traffic that you require at the time that you need it to.

Azure Sentinel

Azure Sentinel is the security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. It offers

Azure Key Vault

Azure Key Vault is a tool to help you keep sensitive information secure:

  • Secret Management to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. It als
  • Encryption Keys Management to easily create and control the encryption keys
  • SSL/TLS Certificate Management to provision, manage, and deploy your public and private SSL/TLS certificates for cloud and on-premises resources

These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated hardware security modules (HSMs). For Kubernetes, the secrets-store-csi-driver-provider-azure may be interesting, as it

allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.
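As an added example (not part of the original post or the provider's own docs), the two Kubernetes objects this provider needs: a SecretProviderClass that names the Key Vault and the secret to fetch, and a pod that mounts it through the CSI driver. The vault name, identity client ID, tenant ID and secret name are placeholders; the workload is assumed to authenticate with a user-assigned managed identity, so no vault credential is stored in the cluster.

```yaml
# SecretProviderClass: which vault, which identity, which objects to mount
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-db-secrets           # placeholder name
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"      # authenticate with a managed identity
    userAssignedIdentityID: "<client-id-of-managed-identity>"  # placeholder
    keyvaultName: "<my-key-vault>"    # placeholder vault name
    tenantId: "<tenant-id>"           # placeholder Azure AD tenant
    objects: |
      array:
        - |
          objectName: db-password     # placeholder secret name in the vault
          objectType: secret
---
# Pod: the secret appears as a read-only file, never as an env var or image layer
apiVersion: v1
kind: Pod
metadata:
  name: kv-consumer
spec:
  containers:
    - name: app
      image: mcr.microsoft.com/azure-cli   # any image; only cat is used here
      command: ["sh", "-c", "cat /mnt/secrets/db-password && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kv-db-secrets"
```

The managed identity only needs the vault's "get" secret permission; if the mount fails, `kubectl describe pod kv-consumer` shows the provider's error (usually a missing access policy or a wrong tenant ID).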

Azure Dedicated Host

Azure Dedicated Host is a service that provides physical servers as a resource, on which you can host VMs. They belong to a specific region, availability zone, and fault domain. Benefits:

  • Hardware isolation at the physical server level: only your VMs run on it
  • Deployed in the same data centers and sharing the same network and underlying storage infrastructure as other, non-isolated hosts
  • Opt-in to a maintenance window to reduce the impact to your service
  • Use your own licenses
  • Multiple servers can be grouped to a host group

Network Security

Azure Firewall is a managed, cloud-based network security service to centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. You can monitor incoming and outgoing traffic and block traffic based on rules:

Azure Firewall
Azure Firewall (c) Microsoft

It includes the following features:

With Azure Application Gateway you also have a web application firewall (WAF) that provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.

Azure DDoS Protection offers protection against distributed denial of service (DDoS) attacks, with a free Basic and a paid Standard tier. The Basic tier ensures that the Azure infrastructure itself is not affected during a large-scale DDoS attack. The Standard tier provides additional measures to deal with and prevent DDoS attacks against your own resources.

Whereas Azure Firewall and Azure DDoS Protection are meant for outside sources, we also have Network Security Groups (NSGs) - as mentioned earlier in the post - which filter network traffic to and from Azure resources within an Azure virtual network.

Cost Management and SLA

Costs in Azure should be properly planned using the Total Cost of Ownership (TCO) Calculator. Furthermore, you can do the following to control and lower costs:

  • Azure Reservations offers discounted prices on certain Azure services up to 72% if you reserve services and resources by paying in advance.
  • Create resources in low-cost locations and regions.
  • Assign tags to resources to categorize costs by department or environment.
  • Resize underutilized virtual machines.
  • Deallocate virtual machines during off hours.
  • Delete unused resources.
  • Migrate from IaaS to PaaS services.

Each component has its own service-level agreement (SLA). Because using multiple components adds an extra level of complexity and slightly increases the risk of failure, the overall SLA of your service is calculated by multiplying the SLAs of its components. To improve the availability of the application, avoid having any single point of failure: instead of simply adding more virtual machines, deploy one or more extra instances of the same virtual machine across different availability zones in the same Azure region.
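The SLA arithmetic above, as an added example that is not part of the original post: serial dependencies multiply, and, going one step beyond the text, redundant instances across availability zones are combined as 1 minus the product of their individual failure probabilities. The percentages used are constructed sample values, not Microsoft's published SLAs.

```python
"""Composite SLA arithmetic for a multi-tier Azure workload (added example)."""
from math import prod


def serial_sla(slas):
    """Every component is required, so the availabilities multiply."""
    return prod(slas)


def parallel_sla(slas):
    """The tier is up if at least one redundant instance is up:
    1 - P(all instances are down at the same time)."""
    return 1.0 - prod(1.0 - a for a in slas)


def composite_sla(tiers):
    """tiers: one list per tier; each list holds the SLAs of that tier's
    redundant instances (one entry = single instance). Tiers are serial."""
    return serial_sla(parallel_sla(tier) for tier in tiers)


def downtime_minutes_per_month(sla, month_minutes=30 * 24 * 60):
    """Allowed downtime implied by an SLA for a 30-day month."""
    return (1.0 - sla) * month_minutes


if __name__ == "__main__":
    # Constructed sample SLAs: web VM 99.95 %, database 99.99 %, queue 99.9 %
    single = composite_sla([[0.9995], [0.9999], [0.999]])
    # Same web VM deployed twice, in two availability zones
    redundant = composite_sla([[0.9995, 0.9995], [0.9999], [0.999]])
    for label, sla in (("single web VM", single), ("web VM in 2 zones", redundant)):
        print(f"{label:18s} {sla:.6%}  "
              f"~{downtime_minutes_per_month(sla):.1f} min downtime/month")
```

Note that redundancy only lifts the tier you duplicate; the composite is still capped by the weakest serial dependency (the 99.9 % queue in the sample).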

Conclusion

There is a lot to know if you want to operate on Azure. I tried to summarize what I have read and learnt in the Azure Fundamentals (AZ-900). It’s a good starting point to dig in further into the topics relevant for you and your role.